After almost a decade of legislative struggles, on March 24, the Turkish Parliament finally adopted the Law on the Protection of Personal Data. The law is Turkey's first specific set of parliamentary rules addressing data protection concerns in all sectors.

It continues to be a big year from a data protection perspective for Turkish citizens and corporations alike. In February, Parliament ratified the much anticipated Council of Europe's 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Data. This ratification signaled that data protection was high on Parliament's agenda, and now with the adoption of the law, Turkey finally has a set of rules that reflect, to a large extent, the EU Data Protection Directive (95/46/EC).

Changes in Parliament

In our previous update, we provided our initial comments on the draft law that had been referred to the Legislative Commission of Parliament for parliamentary discussions.

Although it has yet to be officially published, below you may find our preliminary comments on some of the changes made during the parliamentary discussions, which will be reflected in the new law.

The key changes affect articles on sensitive data, cross-border data flows, composition of the DPA's board and transition periods.

  • Sensitive Data: The law defines "sensitive personal data" as personal data related to race, ethnicity, political opinion, philosophical belief, religion, religious sect or other beliefs, clothing, membership in an association, foundation or union, health, sexual life, criminal conviction and security measures as well as biometric data. Parliament has not made any changes to the types of data classified as sensitive, but it has introduced enhanced protections for data related to health and sexual life.
  • Cross-Border Data Flows: Parliament has not significantly altered the rules on cross-border data transfers. In this respect, transfers to jurisdictions that do not offer an adequate level of protection will continue to be subject to certain additional conditions. Parliament, however, added to the law that in cases where Turkey or the data subject’s interest will be significantly damaged, personal data may be transferred abroad only with the data protection authority’s permission and by obtaining the opinion of the relevant public institutions or organization. At this stage, it is not possible to draw an accurate picture of how this new rule will be applied in practice. In the future, we can also expect the Data Protection Authority to offer some guidance on the specific areas and cases where this additional provision would be applicable.
  • Composition of the Data Protection Authority's Board: The board will be the decision making body of the data protection authority. Critiques of the initial text were predominantly focused on the independence of the DPA. As a result, Parliament has made significant changes in this regard, but only future practice will reveal whether these changes will ensure the independence of the DPA as required under the corresponding EU Directive.
  • Transition Periods: The draft law contained certain transition periods, which have been maintained in the final text. Accordingly, for example, rules on the cross-border transfer of personal data will enter into force six months after the law's publication. Parliament also added another transition period provision, according to which consent lawfully obtained prior to the entry into force of the law will be deemed valid if the data subjects do not object within one year.

Next Steps

The law will enter into force once it is published in the Official Gazette, which is expected to happen in the next few weeks. The law, however, envisages a transition period for certain provisions to allow time to ensure compliance with the newly introduced rules and standards.

The law sheds light on significant ambiguities and fills in legal gaps. Most notably, it:

  • defines concepts such as "personal data," "sensitive data," "explicit consent" and "data controller,"
  • lists the legitimate purposes for data processing, 
  • regulates the international transfer of personal data,
  • imposes rules on data controllers for retention periods and standards,
  • provides details on the rights of data subjects,  and
  • establishes a data protection authority to act as the regulator.